The modern era of computing has been shaped by the mobility revolution.

Desktops are beginning to fade in prominence as laptops, netbooks, ultrabooks, and other portable computers take over.

Moore's Law, the observation that the number of transistors that can be placed inexpensively on an integrated circuit doubles approximately every two years, has driven an explosion of a new class of portable computers, smartphones and tablets, that is beginning to take hold in the enterprise.

Information technology departments have been flooded with radical new management ideas such as "Bring Your Own Device." Information assurance and computer security have become central concerns in every organization.

The challenges of managing a multitude of computing devices and maintaining the balance between security and usability become more complex every day.

Systems management has long been the cornerstone of enterprise-wide administration. A large organization like the Army has a clear requirement to create automated, centralized processes to save time and money, increase productivity and application access, and provide a secure computing environment that minimizes risk. Management tools and processes have evolved from rudimentary programs such as shell scripts created by administrators into complex platforms and product lines. Solutions from multiple companies allow for security management, server availability monitoring, software inventory and installation, anti-virus and anti-malware management, network capacity and utilization monitoring, and user activity monitoring. Using a combination of these tools, an organization's managers can enact and enforce enterprise information technology policies and procedures.

Traditional desktop management evolved out of network management initiatives. Client desktops connected to local area networks that provided the services users required. These were often simple services such as a corporate portal or file sharing. As software and operating systems evolved, the concept of a "managed desktop" became popular. Using Microsoft's Active Directory (or other directory services such as Apple's Open Directory, or LDAP-based directories on Linux/Unix-based computers), system administrators could apply policies to desktops. These policies could be linked to a user or to a particular computer. A managed desktop system could also provide authentication and authorization for all services on the network.

Policies evolved over time, allowing fine-grained control over every aspect of the user's experience. Administrators could ensure a computer's software was up to date on patches and anti-virus definitions. They could remotely install new software on a group of desktops. Security could be enhanced by mandating password policies (or smart card authentication), disabling components of the operating system that were deemed unsafe, allowing users to install and run only approved applications, and actively monitoring the desktop's state.

The policies could be applied to computer systems or to users and groups of users, allowing great flexibility in the implementation of a corporate desktop management policy.

Over time, desktop computers faded and laptops became the hallmark of corporate use. Lightweight and portable laptops allowed traveling users to continue to get work done on the road. Administrators provided Virtual Private Network support to allow laptop users to connect to the corporate LAN and access services that were not publicly available on the internet. Desktop policy would be enforced and updated when the user connected the laptop to the VPN. Some risk was assumed, as laptops could now be connected to external networks and lost the protection and monitoring of the corporate LAN whenever they were not connected to the VPN. System administrators had to become more vigilant in enforcing IT policies and ensuring laptop computers were up to date.

Continuing this theme, smartphones and tablets have arrived, bringing ever smaller and highly portable form factors into the fold. Cellular networks keep these devices attached to the internet continuously, allowing data consumption at any time but also greatly expanding their exposure to attack by malicious software and users. Mobile operating systems are often limited in their management capabilities (although this is improving quickly).

Traditional desktop management systems either do not support mobile devices or manage them in a completely different way, as most mobile devices run operating systems whose security models differ from those of desktops. Mobile devices are difficult to track as they move on and off a corporate LAN or change physical locations quickly. The many different models, operating systems, and cellular network carriers add to the complexity.

A new tool, Mobile Device Management (MDM), has evolved that can mitigate many of these risks. MDM optimizes the functionality and security of a mobile device in relation to corporate policy, much as desktop management does in traditional IT settings. Typical MDM solutions include a server component that sends messages and commands to a mobile device, and a client component that runs on the handset or tablet and carries out the commands. Newer solutions do not require a separate client component, as the client is embedded in the mobile operating system by the software or device manufacturer. The server can be hosted as a corporate service on existing infrastructure, or through cloud services provided by the vendor.

In order to enable a device for management it must be provisioned. The process varies between vendor solutions, but it is commonly accomplished by visiting a web page or installing an application from a public market. Once this client application or configuration profile is installed, the device is linked to the MDM console (which is often web-based for ease of use). Because enrollment is what binds the device to the console, the enrollment step itself should be authenticated (for example with a one-time enrollment token issued to the user) so that only authorized devices are linked, and only to the organization's own console. The MDM administrator can then push a profile to the device over the air that alters the configuration of the device. The contents of the profile can include device settings, network and VPN configurations, account settings, security policies, password/passcode requirements, reporting requirements, and more. These profiles can also be sent to a group of devices or a group of users, depending on what the administrator is trying to accomplish. MDM solutions often collect a lot of data from the mobile device.

The Global Positioning System receiver embedded in the device supplies geo-location data. A summary of all settings and device conditions can be retrieved. A listing of messages and calls sent and received (with their durations), the software apps installed, and the security state of the device can also be pushed to the MDM console. All of this, combined with the ability to control almost every aspect of the device's configuration, leads to some interesting and novel thinking about how to manage a network of computing devices.

An administrator can develop a system of profiles that increase or decrease permissions and security levels based not only on the user's authorization but also on the state and location of the device, or even the network to which it is connected. Tying these requirements to a digital certificate that is required for network or service access allows administrators to ensure users comply with the policy for a particular network or resource before they can connect.

For example, a user is issued a smartphone, which is provisioned to use the MDM system. An initial profile is pushed to the user's device over the air (either through an open corporate access point or through the cellular network) that sets initial configuration settings and policies, such as disabling the camera, creating a link to the corporate portal or app store, or adding email account or wireless network settings. The user is now able to connect the smartphone to the corporate network and access services according to their authorization level. If the user requires access to a secure facility and its corresponding network, they could connect to the MDM system and request access. An automated or administrator-controlled process could then push a new profile to the device with the security settings (disabling wireless radios, GPS, app stores, etc.) required for that particular building or network. The user is then allowed to access those services as long as the device remains in compliance with that policy. The policy could also be set by location; for instance, a Sensitive Compartmented Information Facility would require a restricted profile that the system automatically enabled on entry and disabled on exit.
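The scenario above, and the state- and location-based profile system it illustrates, as an added worked example. This is not code from the article or from any MDM product: it is a toy policy engine that picks the profile a device must carry from its reported location, checks the device's reported state against that profile, and decides whether the network-access certificate should be issued or revoked. The profile contents, the "SCIF" and "campus" location labels, the action names, and the sample device states are all constructed assumptions.

```python
"""Added example (not from the article or any MDM product): a toy policy
engine that picks the profile a device must carry from its reported location,
checks the reported device state against that profile, and decides whether the
network-access certificate should be issued or revoked.  Profile contents, the
location labels, the action names and the sample device states are all
constructed assumptions for illustration."""

from dataclasses import dataclass

# Assumed configuration profiles, keyed by name.  A real profile would also
# carry VPN, Wi-Fi, e-mail and reporting settings; only the controls the
# article's scenario mentions are modelled here.
PROFILES = {
    "baseline": {
        "camera_enabled": False,
        "passcode_min_length": 6,
        "wifi_enabled": True,
        "gps_enabled": True,
        "app_store_enabled": True,
    },
    "restricted": {
        "camera_enabled": False,
        "passcode_min_length": 8,
        "wifi_enabled": False,
        "gps_enabled": False,
        "app_store_enabled": False,
    },
}

# Assumed location labels that require the restricted profile (e.g. a SCIF).
RESTRICTED_LOCATIONS = {"SCIF"}

BOOLEAN_SETTINGS = ("camera_enabled", "wifi_enabled", "gps_enabled", "app_store_enabled")


@dataclass
class DeviceState:
    """Snapshot of what a device reports to the MDM console (assumed fields)."""
    device_id: str
    user: str
    location: str            # label derived from GPS or the attached network
    profile_installed: str   # profile the device says it is running
    camera_enabled: bool
    passcode_length: int
    wifi_enabled: bool
    gps_enabled: bool
    app_store_enabled: bool


def required_profile(location: str) -> str:
    """Map a location to the profile the device must carry there."""
    return "restricted" if location in RESTRICTED_LOCATIONS else "baseline"


def compliance_violations(state: DeviceState, profile_name: str) -> list[str]:
    """List every way the reported state differs from the named profile."""
    profile = PROFILES[profile_name]
    violations = []
    if state.passcode_length < profile["passcode_min_length"]:
        violations.append(
            f"passcode_length={state.passcode_length}, policy requires >= "
            f"{profile['passcode_min_length']}"
        )
    for setting in BOOLEAN_SETTINGS:
        actual = getattr(state, setting)
        if actual != profile[setting]:
            violations.append(f"{setting}={actual}, policy requires {profile[setting]}")
    return violations


def evaluate(state: DeviceState) -> dict:
    """Decide what the MDM server should do for one device check-in.

    Returns the profile the device needs, the ordered actions to send (push a
    profile, then issue or revoke the network certificate) and the violations
    found.  Access is granted only when the right profile is installed *and*
    the reported state matches it, so a device that has been told to switch
    profiles but has not yet applied them is still denied.
    """
    needed = required_profile(state.location)
    actions = []
    if state.profile_installed != needed:
        actions.append(f"push_profile:{needed}")
    violations = compliance_violations(state, needed)
    compliant = state.profile_installed == needed and not violations
    actions.append("issue_network_certificate" if compliant else "revoke_network_certificate")
    return {
        "required_profile": needed,
        "actions": actions,
        "violations": violations,
        "grant_access": compliant,
    }


if __name__ == "__main__":
    # Constructed check-in: a device carrying the baseline profile enters the SCIF.
    entering = DeviceState(
        device_id="dev-001", user="user1", location="SCIF",
        profile_installed="baseline", camera_enabled=False, passcode_length=6,
        wifi_enabled=True, gps_enabled=True, app_store_enabled=True,
    )
    print(evaluate(entering))
```

The design point is that the decision is made from what the device reports rather than from what the server last pushed: the certificate is revoked until the device confirms the restricted profile is actually in force, and a device that leaves the SCIF with the restricted profile still installed is likewise out of compliance with the baseline profile until the system swaps it back.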

The addition of mobile devices to the Army Enterprise has often been impractical due to many factors that MDM can solve. Using MDM in an enterprise solution such as the DISA DECC (much like Enterprise email) would centralize monitoring and security profile management. Access to administrative functions could be delegated to unit S6 sections, giving them powerful tools to rapidly provision, secure, and track devices and to provide a true mobile data platform for our force. Inventory management could be simplified, as devices would be locatable through the MDM platform at all times. Lost or compromised devices could be remotely wiped by the MDM system, protecting the networks and data that we use daily. As MDM continues to evolve it will most likely merge with and augment desktop management solutions, providing a holistic platform that administrators and commanders can use to ensure their network is providing necessary services in a secure and reliable manner.
Acronym QuickScan

DECC - Defense Enterprise Computing Center
DISA - Defense Information Systems Agency
GPS - Global Positioning System
IT - Information Technology
LAN - Local Area Network
MDM - Mobile Device Management
VPN - Virtual Private Network